refactor: split "real" modules and "config" modules

config/optional/initrd-ssh.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
+
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 4;
+    hostKeys = [config.age.secrets.initrd_host_ed25519_key.path];
+  };
+
+  # Make sure that there is always a valid initrd hostkey available that can be installed into
+  # the initrd. When bootstrapping a system (or re-installing), agenix cannot succeed in decrypting
+  # whatever is given, since the correct hostkey doesn't even exist yet. We still require
+  # a valid hostkey to be available so that the initrd can be generated successfully.
+  # The correct initrd host-key will be installed with the next update after the host is booted
+  # for the first time, and the secrets were rekeyed for the the new host identity.
+  system.activationScripts.agenixEnsureInitrdHostkey = {
+    text = ''
+      [[ -e ${config.age.secrets.initrd_host_ed25519_key.path} ]] \
+        || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${config.age.secrets.initrd_host_ed25519_key.path}
+    '';
+    deps = ["agenixInstall" "users"];
+  };
+  system.activationScripts.agenixChown.deps = ["agenixEnsureInitrdHostkey"];
+}

config/optional/laptop.nix

@@ -0,0 +1,21 @@
+{
+  systemd.network.wait-online.anyInterface = true;
+
+  services = {
+    tlp.enable = true;
+    physlock.enable = true;
+    logind = {
+      lidSwitch = "ignore";
+      lidSwitchDocked = "ignore";
+      lidSwitchExternalPower = "ignore";
+      extraConfig = ''
+        HandlePowerKey=suspend
+        HandleSuspendKey=suspend
+        HandleHibernateKey=suspend
+        PowerKeyIgnoreInhibited=yes
+        SuspendKeyIgnoreInhibited=yes
+        HibernateKeyIgnoreInhibited=yes
+      '';
+    };
+  };
+}

config/optional/sound.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  minimal,
+  pkgs,
+  ...
+}:
+lib.optionalAttrs (!minimal) {
+  # Helpful utilities:
+  # Show pipewire devices and application overview or specifics
+  # > wpctl status; wpctl inspect <id>
+  # View real time node and device statistics
+  # > pw-top
+  # Show actual used playback stream settings
+  # > cat /proc/asound/card*/pcm*p/sub*/hw_params
+  # Compare resamplers on: https://src.infinitewave.ca/
+
+  sound.enable = false; # ALSA
+  hardware.pulseaudio.enable = lib.mkForce false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    jack.enable = true;
+    pulse.enable = true;
+    wireplumber.enable = true;
+    extraConfig.pipewire."99-allowed-rates"."context.properties"."default.clock.allowed-rates" = [
+      44100
+      48000
+      88200
+      96000
+      176400
+      192000
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [pulseaudio pulsemixer];
+}

config/optional/zfs.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  boot.supportedFilesystems = ["zfs"];
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+
+  # The root pool should never be imported forcefully.
+  # Failure to import is important to notice!
+  boot.zfs.forceImportRoot = false;
+
+  environment.systemPackages = with pkgs; [zfs];
+
+  services.zfs = {
+    autoScrub = {
+      enable = true;
+      interval = "weekly";
+    };
+    trim = {
+      enable = true;
+      interval = "weekly";
+    };
+  };
+
+  services.telegraf.extraConfig.inputs = lib.mkIf config.services.telegraf.enable {
+    zfs.poolMetrics = true;
+  };
+
+  # TODO remove once this is upstreamed
+  boot.initrd.systemd.services."zfs-import-rpool".after = ["cryptsetup.target"];
+
+  # After importing the rpool, rollback the root system to be empty.
+  boot.initrd.systemd.services.impermanence-root = {
+    wantedBy = ["initrd.target"];
+    after = ["zfs-import-rpool.service"];
+    before = ["sysroot.mount"];
+    unitConfig.DefaultDependencies = "no";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+    };
+  };
+}